On 05.12.2015 18:57, Florian Weimer wrote:
> On 11/30/2015 05:14 PM, Jan Kurik wrote:
>> We want to have Unbound server installed and running on localhost by
>> default on Fedora systems. Where necessary, have also dnssec-trigger
>> installed and running by default
>
> Would someone please clarify the proposal if Unbound would run as a
> forwarder, or as a stand-alone recursive resolver?

It depends on the network. If the resolvers from the DHCP are usable
for DNSSEC, then these will be used as forwarders. Nevertheless, Unbound
does the validation locally, so it will query for all the necessary data
to build the chain of trust.

In case the network-provided resolvers are not usable for DNSSEC, then
Unbound is configured to do the recursion. In case this is blocked on
the network, Unbound is configured to tunnel the DNS queries to Fedora
public infrastructure over TCP (80, 443) or SSL (443), in which case
this is similar to the first situation, when Unbound forwards queries
to the resolvers, but does the validation locally.

This is part of the dnssec-trigger documentation, since it is used as
the means to reconfigure Unbound.

Tomas

> Thanks,
> Florian
> --
> devel mailing list
> devel@xxxxxxxxxxxxxxxxxxxxxxx
> http://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx
>

--
Tomas Hozza
Software Engineer - EMEA ENG Developer Experience

PGP: 1D9F3C2D
UTC+1 (CET)
Red Hat Inc. http://cz.redhat.com
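
The three modes described in the reply above, written out as static `unbound.conf` fragments. This is an added illustration, not part of the original message and not output of dnssec-trigger, which the message says is what reconfigures Unbound. The addresses are documentation-range placeholders and the trust-anchor path is an assumed packaging default.

```conf
# Constructed example. Addresses are RFC 5737 documentation placeholders;
# the trust-anchor path is an assumption, check your distribution's package.

# Common to all three modes: Unbound listens on localhost and validates
# DNSSEC itself, whatever sits upstream.
server:
    interface: 127.0.0.1
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

# Mode 1: the DHCP-provided resolver is usable for DNSSEC.
# It is used as a plain forwarder; signatures are still checked locally.
forward-zone:
    name: "."
    forward-addr: 192.0.2.53

# Mode 2: the DHCP-provided resolvers are not usable for DNSSEC.
# No forward-zone for "." at all: Unbound does full recursion itself.
# (Remove or comment out the forward-zone block above.)

# Mode 3: direct recursion is blocked on the network.
# Forward to an external resolver over TCP on port 80 or 443.
# Replace the Mode 1 forward-zone with:
#
# server:
#     tcp-upstream: yes
# forward-zone:
#     name: "."
#     forward-addr: 198.51.100.10@80
#     forward-addr: 198.51.100.10@443
#
# SSL variant on port 443: use "ssl-upstream: yes" instead of
# "tcp-upstream: yes" and keep only the @443 forward-addr.
```

Only one mode is active at a time. In all three the trust anchor stays on the local host, so a forwarder that strips or forges DNSSEC records causes validation failures rather than accepted answers.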